Bug 484542 (CVE-2013-4243) - <media-libs/tiff-4.0.6: Buffer overflow (CVE-2013-4243)
Summary: <media-libs/tiff-4.0.6: Buffer overflow (CVE-2013-4243)
Status: RESOLVED FIXED
Alias: CVE-2013-4243
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://www.asmail.be/msg0055359936.html
Whiteboard: A2 [glsa cve]
Reported: 2013-09-11 01:52 UTC by GLSAMaker/CVETool Bot
Modified: 2017-01-09 17:00 UTC
Description GLSAMaker/CVETool Bot gentoo-dev 2013-09-11 01:52:53 UTC
CVE-2013-4243 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4243):
  Heap-based buffer overflow in the readgifimage function in the gif2tiff tool
  in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of
  service (crash) and possibly execute arbitrary code via a crafted height and
  width values in a GIF image.


Upstream bug: http://bugzilla.maptools.org/show_bug.cgi?id=2451
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2013-10-03 05:10:38 UTC
Potential patch available from openSUSE:
http://lwn.net/Articles/568120/

Patch also fixes following CVEs:
 This tiff security update fixes several buffer overflow
   issues and an out-of-bounds write problem.

   * tiff: buffer overflows/use after free problem
   [CVE-2013-4231][CVE-2013-4232][bnc#834477]
   * libtiff (gif2tiff): OOB Write in LZW decompressor
   [CVE-2013-4244][bnc#834788]
   * libtiff (gif2tiff): heap-based buffer overflow in
   readgifimage() [CVE-2013-4243][bnc#834779]


Upstream please confirm and Ebuild.
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2014-02-04 16:14:04 UTC
(In reply to Yury German from comment #1)
> Potential patch available from openSUSE:
> http://lwn.net/Articles/568120/
> 
> Patch also fixes following CVEs:
>  This tiff security update fixes several buffer overflow
>    issues and an out-of-bounds write problem.
> 
>    * tiff: buffer overflows/use after free problem
>    [CVE-2013-4231][CVE-2013-4232][bnc#834477]

this one seems to be covered already.

*tiff-4.0.3-r4 (23 Aug 2013)
*tiff-4.0.3-r5 (23 Aug 2013)

  23 Aug 2013; Samuli Suominen <ssuominen@gentoo.org>
  +files/tiff-4.0.3-CVE-2013-4231.patch, +files/tiff-4.0.3-CVE-2013-4232.patch,
  +tiff-4.0.3-r4.ebuild, +tiff-4.0.3-r5.ebuild:
  Fix for CVE-2013-4231 (and CVE-2013-4232) from upstream. See security bug
  #480466. The -r4 is for stabilization without multilib-minimal.eclass usage.
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2014-02-04 16:18:50 UTC
(In reply to Yury German from comment #1)
> Potential patch available from openSUSE:
> http://lwn.net/Articles/568120/
> 
> Patch also fixes following CVEs:
>  This tiff security update fixes several buffer overflow
>    issues and an out-of-bounds write problem.
> 
>    * tiff: buffer overflows/use after free problem
>    [CVE-2013-4231][CVE-2013-4232][bnc#834477]
>    * libtiff (gif2tiff): OOB Write in LZW decompressor
>    [CVE-2013-4244][bnc#834788]

This one is bug 486590. So let's keep this bug only for CVE-2013-4243. Just added to confusion.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-03-05 08:09:09 UTC
@arches, please stabilize >=media-libs/tiff-4.0.5

@maintainer(s), once stabilization is complete please remove vulnerable versions, <media-libs/tiff-4.0.3
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2016-03-06 08:23:48 UTC
(In reply to Aaron Bauman from comment #4)
> @arches, please stabilize >=media-libs/tiff-4.0.5

4.0.6 or 4.0.5?
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-03-06 10:02:17 UTC
@arches, please stabilize =media-libs/tiff-4.0.6
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-03-06 13:50:52 UTC
I wouldn't recommend changing the bug title to reflect <media-libs/tiff-4.0.6 as it implies that all versions less than that are vulnerable which is not the case here.  This can be applied to most bugs, as often unstable versions are available that mitigate certain vulnerabilities.

@arches, does this titling make it easier for you to track or use various tools?
Comment 8 Agostino Sarubbo gentoo-dev 2016-03-07 08:04:40 UTC
amd64 stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2016-03-08 13:42:08 UTC
Stable for HPPA PPC64.
Comment 10 Markus Meier gentoo-dev 2016-03-11 16:39:52 UTC
arm stable
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2016-03-14 18:50:38 UTC
Stable on alpha.
Comment 12 Agostino Sarubbo gentoo-dev 2016-03-15 16:40:43 UTC
x86 stable
Comment 13 Agostino Sarubbo gentoo-dev 2016-03-16 12:04:35 UTC
ppc stable
Comment 14 Agostino Sarubbo gentoo-dev 2016-03-19 11:37:07 UTC
sparc stable
Comment 15 Agostino Sarubbo gentoo-dev 2016-03-20 12:01:18 UTC
ia64 stable
Comment 16 Pacho Ramos gentoo-dev 2016-05-06 10:02:16 UTC
The remaining arches are not officially "stable" then maybe they should not block the subsequent "CVE" process here :/
Comment 17 Aaron Bauman (RETIRED) gentoo-dev 2016-07-09 13:30:13 UTC
Removing unstable arches from CC.

@maintainer(s), please clean up vulnerable versions.
Comment 18 Markus Meier gentoo-dev 2016-07-10 08:50:27 UTC
Cleaned up vulnerable versions: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6f65cfb30904aa816aa0977ce4ccf188f8c31e1a
Comment 19 Aaron Bauman (RETIRED) gentoo-dev 2016-07-11 05:00:46 UTC
New GLSA request filed.
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2017-01-09 17:00:40 UTC
This issue was resolved and addressed in
 GLSA 201701-16 at https://security.gentoo.org/glsa/201701-16
by GLSA coordinator Thomas Deutschmann (whissi).